Voice Log
v0.1.5
Background voice journaling with Soniox realtime STT for OpenClaw. Requires SONIOX_API_KEY. Get/create your Soniox API key at https://soniox.com/speech-to-te...
by Anej Gorkič (@easwee)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, package.json, SKILL.md, and scripts all show a voice-journaling daemon that captures microphone audio and streams to Soniox realtime STT using a SONIOX_API_KEY. Required binaries (node and a microphone capture tool) and the Soniox API key are appropriate and expected for this functionality.
Instruction Scope
Runtime instructions are scoped to starting/stopping a local daemon, maintaining a 60-minute rolling text log, and summarizing recent minutes. The SKILL.md says the daemon environment forwards only SONIOX_API_KEY (and language hints), but the control script actually copies several host env vars (PATH, HOME, LANG, LC_ALL, XDG_RUNTIME_DIR, PULSE_SERVER, ALSA_CONFIG_PATH, DBUS_SESSION_BUS_ADDRESS) into the daemon environment to support audio capture. Those copied vars are reasonable for audio access but are broader than the SKILL.md claim.
Install Mechanism
This is instruction-only with included JS scripts and a package.json. There is no remote arbitrary download in the skill itself. Running npm install will fetch @soniox/node from the npm registry (expected for Soniox integration). This is standard but does pull a third‑party package at install time.
Credentials
The skill legitimately requires SONIOX_API_KEY (declared in SKILL.md, package.json, and used in code). The code does not request unrelated credentials. However, there's a metadata inconsistency: the registry summary at the top of the submission claims 'Required env vars: none' while the embedded SKILL.md and package.json require SONIOX_API_KEY. Also, the control script forwards a handful of host env vars (see Instruction Scope) — typically harmless but worth noting since SKILL.md states only the Soniox key is forwarded.
Persistence & Privilege
The skill runs a background daemon (detached child process) and stores state/journal files under ./.data in the skill directory. always: false and no cross-skill or system-wide modifications are requested. Behavior (writing local files, PID, logs) is consistent with the described purpose.
Assessment
This skill appears to do what it says: record your microphone and stream audio to Soniox STT using a SONIOX_API_KEY, keep a rolling 60-minute text log, and let you start/stop and request recent summaries. Before installing:
1) Confirm you want continuous microphone capture and trust Soniox (audio is streamed to their realtime STT service).
2) Provide a Soniox API key only if you accept that audio and derived transcripts go to Soniox.
3) Be aware npm install will fetch @soniox/node from the public registry.
4) Inspect and monitor the created .data directory for stored transcripts and logs; rotate or delete it if you need longer-term privacy.
5) Note the small inconsistencies: registry metadata omitted the SONIOX_API_KEY requirement, and the script forwards a few host env vars (PATH, HOME, audio-related vars) to the daemon despite SKILL.md saying only the Soniox key is forwarded — this is likely benign (needed for audio capture) but worth knowing.
If you want higher assurance, review the full (untruncated) daemon script and run the skill in a constrained environment or sandbox first.
Like a lobster shell, security has layers — review code before you run it.
latestvk978n28h623adzc7sf1gaxy9j581nep1
Runtime requirements
Bins: node, arecord|rec|ffmpeg
